by tialaramex 2364 days ago
"it looks like we'll be ok" remains their status on the problem of whether it's fine to just take SSH keys and use them for something quite different.

That's just not good enough. It was fine in early drafts because there was hope they'd remember that "Solve all of the world's problems" was not their goal, and so SSH keys might be irrelevant in later revisions anyway. It's not fine in something intended to actually ship.

Either get somebody to put lots of work in to verify that yes, it's definitely safe to do this as SSH stands today, and contact SecSH WG or Sec Dispatch or whoever to make sure they know you're doing this now - or, as seems much more likely, rip out all the SSH key code and highlight that line about how you don't want to do key distribution in age because it's hard.

PGP is full of things its creators thought might be safe that you now have to tell people not to do because it turns out they're unsafe. This tool should not recapitulate their mistake.

1 comment

I am fairly confident the SSH key reuse is fine, or I wouldn't have shipped it. But yes, it would be a misrepresentation to say there are formal proofs of it. There's no one I can think of that we can pay in short order to make robust ones. FWIW, we don't really have proofs for ECDSA either, and it's been almost 30 years. (Anyway, the core age flow with native keys is unaffected.)